Threat Intelligence Security Center release notes

  • Release version: Australia
  • Updated March 12, 2026
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Threat Intelligence Security Center release notes

    The ServiceNow Threat Intelligence Security Center (TISC) is a native AI-powered platform designed to streamline the ingestion, enrichment, investigation, response, and sharing of threat intelligence. The Australia release, updated March 12, 2026, introduces significant enhancements that improve efficiency and capabilities for security teams defending against cyber threats. TISC is available via the ServiceNow Store and integrates closely with other ServiceNow security applications.

    Show full answer Show less

    Key Features

    • Now Assist Case Summarization: Analysts can generate concise AI-driven summaries of threat cases, including overviews, key findings, actions, and recommended next steps.
    • Playbooks in Case Management: Provides guided, stage-based workflows to enhance investigative processes.
    • Historical Data and Flexible Expiration in Splunk Add-on: Enables ingestion of historical threat data with improved expiration handling.
    • Enhanced Relationship Graph: Supports filtering and faster rendering to analyze threat relationships more effectively.
    • MITRE ATT&CK Enhancements: Includes combined Techniques and Tactics regex extraction types for better mapping of threat intelligence.
    • CrowdStrike Feed Enhancements: Added malware ingestion with structured tagging for threat actors, enabling detailed filtering by capabilities, targets, and origins.
    • Have I Been Pwned (HIBP) Integration: Enriches observables to identify exposure in known data breaches.
    • Automated Tagging and Relationship Linking: Configurable tagging rules for RSS feeds, and support for creating and linking entities such as CWEs, remediations, products, vendors, and vulnerabilities.
    • Zero Day Vulnerability Automation: Automatically generates zero day vulnerability records from flagged RSS feeds, with linked CPE, CWE, and CVE details.
    • Vulnerability and Incident Management: Allows initiation of vulnerability assessments and creation of security incidents directly from vulnerability records, streamlining risk evaluation and response workflows.
    • UI Improvements: Enhanced categorization in the Threat Intelligence Library and new buttons for vulnerability assessments and incident creation for easier navigation and action.
    • Expanded Threat Intelligence Catalog: Includes real-time RSS feed from Google Project Zero for emerging threat detection.
    • STIX 2.1 Export Enhancements: Supports Traffic Light Protocol (TLP) markings for improved outbound intelligence sharing.

    Activation and Licensing

    TISC can be installed from the ServiceNow Store. The ServiceNow AI Platform now offers three licensing tiers—Foundation, Advanced, and Prime—each providing progressively advanced AI capabilities and features relevant to TISC users depending on entitlements.

    Integration with Related ServiceNow Security Applications

    • Threat Intelligence: Displays indicators of compromise and enriches security incidents.
    • Security Incident Response: Manages the full incident lifecycle with analytic dashboards and reporting.
    • Vulnerability Response: Connects security with IT to accelerate response and improve security posture.
    • Common Security Operations Functionality: Shared plugins streamline activation and integration of Security Operations applications.

    Practical Benefits for ServiceNow Customers

    With the Australia release of TISC, security teams can expect more efficient threat case analysis through AI summarization, guided investigation workflows, enhanced threat data ingestion, and improved integration with vulnerability and incident management processes. The enhancements to data models, tagging, and relationship mapping enable deeper, faster insight into threat landscapes. Customers benefit from real-time threat detection feeds and automated workflows that accelerate response times and improve overall security operations effectiveness.

    The ServiceNow® Threat Intelligence Security Center application is a threat intelligence platform built natively on the ServiceNow AI Platform to operationalize threat intelligence from feed ingestion and enrichment to investigation, response, and sharing. TISC enables security teams to act efficiently on intelligence and defend against threats. TISC was enhanced and updated in the Australia release.

    Threat Intelligence Security Center highlights for the Australia release

    • Introduced Now Assist Case Summarization skill that analysts can use to generate concise, AI-based case summaries.
    • Added playbooks support in Case Management, giving analysts a guided, stage-based workflow for investigations.
    • Added historical data ingestion and flexible expiration handling to TISC Add-on for Splunk Enterprise. 
    • Enhanced MITRE Extraction rule schema to add a combined Techniques and Tactics regex extraction type.
    • Enhanced Relationship Graph with filtering support and performance improvements.
    • Enhanced CrowdStrike feed to support ingestion of malwares.

    See Threat Intelligence Security Center for more information.

    Important:
    Threat Intelligence Security Center is available in the ServiceNow Store. For details, see the "Activation information" section of these release notes.

    New in the Australia release

    Australia Patch 3
    ServiceNow product tiers
    The ServiceNow AI Platform now brings you a new AI experience with three licensing tiers available:
    • Foundation: AI basics to deliver insights
    • Advanced: AI to boost productivity across relevant use cases
    • Prime: Act autonomously with all AI assets and create your own

    Depending on your entitlements, you will have access to certain application features, generative AI skills, agentic workflows, and AI agents.

    Summarize a Case with Now Assist for Threat Intelligence Security Center
    Now Assist for Threat Intelligence Security Center brings generative AI capabilities directly into threat intelligence workflows.  Analysts can generate concise AI-powered summaries of threat cases, including case overview, findings, key actions taken, and recommended next steps.
    Automatic Threat Actor priority tagging
    Enable automatic tagging of threat actors based on their origin locations.
    Configure TISC add-on in Splunk
    TISC Add-on for Splunk Enterprise adds historical data ingestion and flexible expiration handling.
    Link nodes in the Relationship Graph
    The relationship graphs show immediate relationships to the home node for quick rendering of the graph. Filters enable analysts to narrow down to specific nodes and relationships. 
    MITRE ATT&CK Technique Extraction Rules
    Enhanced MITRE™ extraction rule schema to add a combined Techniques and tactics regex extraction type.
    Threat Hunting Playbook
    Threat hunting playbook is now available out of the box. Analysts can use Playbooks for case management as a guided, stage-based workflow for investigations.
    View Premium Threat Feed for CrowdStrike
    Enhanced CrowdStrike premium Threat feed by adding Malware to the record types to ingest. Threat Actor records now link to Malware through uses and develops relationships, and to Location through originates-from and targets relationships. Report and Indicator records are linked to Malware through associated-with. Threat Actor records ingested from CrowdStrike now represent capabilities, target industries, target regions, target countries, and origins as structured tags rather than free-text, additional context fields. Users can use these attributes as filters.
    Have I Been Pwned integration
    Added support in TISC for Have I been pwned? (HIBP) observable enrichment, enabling analysts to identify whether observables have been exposed in known data breaches instances.
    Configure Tagging Rules in TISC
    Introduced automated tagging of RSS feed records using configurable tagging rules to apply tags and taxonomies.
    Create a CWE record
    Introduced CWEs as related entities with support for relationship linking.
    Create Remediations
    Introduced remediations as related entities with support for relationship linking and added support for managing remediations.
    Create a Product
    Introduced products as related entities with support for relationship linking.
    Create a Vendor to a Vulnerability
    Associated vendors as related entities with support for relationship linking.
    Automated creation of zero day vulnerability
    Automatically generate zero day vulnerability records from flagged RSS feeds with extracted and linked CPE, CWE, and CVE details for enhanced threat analysis. The catalog now includes the RSS feed for Google Project Zero, enabling real-time detection of emerging threats.
    Create Vulnerability Assessment from a Vulnerability
    Initiate vulnerability assessments directly from identified issues for faster risk evaluation. Sample workflows and flow actions are included to automate the assessment process.
    Create Security Incident from a Vulnerability Record
    Create security incident records directly from detected vulnerabilities to expedite incident response and streamline threat management workflows.
    Enable security incidents for vulnerabilities
    View vulnerabilities and related intelligence in the TISC Context tab of Security Incident Response Workspace, allowing analysts to quickly access risk data during investigations without navigating to separate records.

    UI changes

    TISC Library Repository
    Enhanced Threat Intelligence Library list views by grouping observables, indicators, threat entities, RSS feed, and vulnerability artifacts into appropriate categories for improved navigation.
    Create Vulnerability Assessment from a Vulnerability
    Introduced a new button Create Vulnerability Assessment to conduct a vulnerability assessment for a specific vulnerability.
    Create Security Incident from a Vulnerability Record
    Introduced a new button Create Security Incident to facilitate identifying vulnerabilities and enable faster incident response within the threat analysis.
    Threat Intelligence Security Center Catalog
    Introduced a new catalog entry which includes the RSS feed for Google Project Zero, enabling real-time detection of emerging threats.

    Changed in this release

    MITRE ATT&CK Technique Extraction Rules and View extracted MITRE ATT&CK Techniques
    Enabled MITRE-ATT&CK extraction rules for RSS feed to map and associate MITRE-ATT&CK techniques.
    View RSS Feeds
    Enhanced the RSS feed schema and parsers to support additional fields, including tags, taxonomies, status, and expiration time.
    Export intelligence data, Sharing of Outbound Intelligence Records from GUI, and Add to TAXII Collections from Library List View
    Enhanced STIX 2.1 export to include Traffic Light Protocol (TLP) definitions applied to intelligence objects as TLP 2.0 marking definition objects. For more information, see Marking Definition.
    System properties for TISC Reports
    The system property sn_sec_tisc.reporting.email_template_sn_sec_tisc_case is no longer supported in TISC. It has been renamed to sn_sec_tisc.default_report_email_template, effective with the latest release.
    Configure custom MISP API feed
    Enhanced MISP API feed ingestion to handle events when the published timestamp is greater than the modified timestamp.
    Define Vulnerability and Access the Vulnerability Entities
    Enhanced the vulnerability schema to support additional vulnerability intelligence fields related to CVSS scoring, exploit details, and remediation information.

    Activation information

    Install Threat Intelligence Security Center by requesting it from the ServiceNow Store. Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Related ServiceNow applications and features

    Threat Intelligence
    The ServiceNow Threat Intelligence application displays indicators of compromise (IoC) and enables you to enrich security incidents with threat intelligence data.
    Security Incident Response
    With Security Incident Response manage the life cycle of your security incidents from initial analysis to containment, eradication, and recovery. Security Incident Response enables you to get a comprehensive understanding of incident response procedures performed by your analysts, and understand trends and bottlenecks in those procedures with analytic-driven dashboards and reporting.
    Vulnerability Response
    Vulnerability Response is part of the Security Operations application suite. Together, these applications connect security to your IT department, increase the speed and efficiency of your response, and give you a definitive view of your security posture.
    Security Operations common functionality
    The Security Support Common plugin is activated when any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated.